The Crossfire
Attack
MIN SUK KANG, SOO BUM LEE, VIRGIL D. GLIGOR
E C E D E PA R T M E N T A N D C Y L A B
CARNEGIE MELLON UNIVERSITY
2013 IEEE Symposium on Security and Privacy
Outline
INTRODUCTION
THE CROSSFIRE ATTACK
ATTACK PERSISTENCE AND COST
EXPERIMENT SETUP AND RESULTS
RELATED WORK
CONCLUSION
2
Outline
INTRODUCTION
THE CROSSFIRE ATTACK
ATTACK PERSISTENCE AND COST
EXPERIMENT SETUP AND RESULTS
RELATED WORK
CONCLUSION
3
INTRODUCTION – Old DDoS
Typical attack:
floods server with HTTP, UDP, SYN, ICMP…… packets
Persistence:
Maximum: 2.5 days
Average: 1.5days
Adversary’s Challenge:
DDoS Attacks are either Persistent or Scalable to N Servers
N traffic to 1 server => high-intensity traffic triggers network detection
Detection not triggered => low-intensity traffic is insufficient for N srevers
4
INTRODUCTION – Crossfire Attack
Link flooding by botnets cannot be easily countered
Spoofed IP addresses.
Can flood links without using unwanted traffic.
Launch an attack with low-intensity traffic flows that cross a
targeted link at roughly the same time and flood it.
5
INTRODUCTION – Crossfire Attack
A link-flooding attack that degrades/cuts off network
connections of scalable N-server area persistently.
Scalable N-Server areas
N = small(e.g., 1-1000 servers), medium(e.g., all servers in a US state),
large(e.g., the West Coast of the US)
Persistent:
Attack traffic is indistinguishable from legitimate
Low-rate, changing sets of flows
Attack is “ moving target ” for same N-server area
Changing target links before triggering alarms
6
INTRODUCTION – Definitions
7
INTRODUCTION – 1 link crossfire
Attack flows => Indistinguishable from legitimate
8
INTRODUCTION – 1 link crossfire
Attack flows => Alarms not triggered
link-failure detection
latency,
Interior Gateway
Protocol(IGP) routers (OSPF)
Default waiting time: 40sec, Failure detection: 217 sec
Exterior Gateway Protocol(EGP) routers(BGP)
Default waiting time: 180sec, Failure detection : 1,076 sec
9
Outline
INTRODUCTION
THE CROSSFIRE ATTACK
ATTACK PERSISTENCE AND COST
EXPERIMENT SETUP AND RESULTS
RELATED WORK
CONCLUSION
10
THE CROSSFIRE ATTACK
11
THE CROSSFIRE ATTACK
Public servers :
To construct an attack topology centered at target area
Decoy servers:
To create attack flow
12
ATTACK - Step 1 : Link Map Construction
( 72% )
(1) Traceroute ( B->S )
(2) Link-Persistence
13
ATTACK - Step 2 : Attack setup
DR: Degradation Ratio
(1) Flow-Density Computation
(2) Target-Link Selection
14
ATTACK - Step 3 : Bot Coordination
(1) Attack-Flow Assignment
(2) Target-Link Flooding
15
Outline
INTRODUCTION
THE CROSSFIRE ATTACK
ATTACK PERSISTENCE AND COST
EXPERIMENT SETUP AND RESULTS
RELATED WORK
CONCLUSION
16
ATTACK PERSISTENCE AND COST
Data-Plane-Only Attack : Indefinite Duration
Link failure detection
Traffic engineering
Proactive Attack Techniques : Rolling Attack
Maintaining the same target links
Changes bot and decoy servers
Maintaining the same target area
Changes target links
17
ATTACK PERSISTENCE AND COST
Attack bots available from Pay-per Install (PPI) markets [2011]
In experiments : 49% in US or UK, 37% in Europe, 14% rest of the world
10 target links : can be as low as 107,200 bots.
Cost approximately $9K
18
Outline
INTRODUCTION
THE CROSSFIRE ATTACK
ATTACK PERSISTENCE AND COST
EXPERIMENT SETUP AND RESULTS
RELATED WORK
CONCLUSION
19
EXPERIMENT SETUP AND RESULTS
Bots:
1,072 traceroute nodes 620 PlanetLab nodes, 452 LG(Looking Glass) servers
20
EXPERIMENT SETUP AND RESULTS
Decoy servers:
552 institutions (i.e., universities and colleges ) on both the East Coast
(10 states) and West Coast (7 states) of the US
2737 public web servers within Univ1 in Pennsylvania
7411 public web servers within Univ2 in Massachusetts
21
EXPERIMENT SETUP AND RESULTS
Target Areas:
22
EXPERIMENT SETUP AND RESULTS
23
EXPERIMENT SETUP AND RESULTS
 Link map
 Run a traceroute six times to diagnose link persistence
24
EXPERIMENT SETUP AND RESULTS
25
EXPERIMENT SETUP AND RESULTS
 Average rate when flooding 10 Target Links against Pennsylvania
26
Outline
INTRODUCTION
THE CROSSFIRE ATTACK
ATTACK PERSISTENCE AND COST
EXPERIMENT SETUP AND RESULTS
RELATED WORK
CONCLUSION
27
The Coremelt Attack
28
“Spamhaus” Attack
29
RELATED WORK
30
Outline
INTRODUCTION
THE CROSSFIRE ATTACK
ATTACK PERSISTENCE AND COST
EXPERIMENT SETUP AND RESULTS
CONCLUSION
31
CONCLUSION
Attack Characteristics
Undetectability at the Target Area.
Indistinguishability of Flows in Routers
Persistence
Flexibility
New DDoS Attack: The Crossfire Attack
Scalable & Persistent
Internet-scale experiment
Feasibility of the attack
High impact with low cost
32
Q&A
33